Azure Static Web App Entra ID setup – redirecting to common instead of MyCompany tenant

Shrikant Shivpuje 0 Reputation points
2025-08-19T13:09:05.41+00:00

I’ve built an Azure Static Web App (React frontend) with an Azure Function (Python backend), currently hosted on the Azure free plan. I’m trying to configure Azure Entra ID authentication.

So far, I’ve:

• Set up the secrets and redirect URI.
• Updated staticwebapp.config.json with authentication routes.
• Granted admin consent (as per the instructions).

However, the authentication flow isn’t working as expected:

• When I access the app URL, I get the Microsoft login screen.
• After entering credentials and authenticating, I still see “admin consent required.”

I haven’t added any authentication code (like MSAL) in my app, since documentation suggests this can work without MSAL.

After re-granting admin consent, I can now log in successfully with my MyCompany Entra ID account, but there are two issues:

• The login screen also accepts personal Microsoft accounts, which I want to restrict.
• The login flow is redirecting to the “common” endpoint instead of my MyCompany tenant-specific endpoint.

Here’s an example of the login request URL:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?................

My staticwebapp.config.json already specifies:

"openIdIssuer": "https://login.microsoftonline.com/

1 answer

  1. Siva Nair 520 Reputation points Microsoft External Staff Moderator
    2025-08-20T16:46:23.3466667+00:00

    Hi Shrikant Shivpuje,

    By default, Azure Static Web Apps always uses the common endpoint unless you explicitly override it with a tenant-specific openIdIssuer. common means any Microsoft account (work, school, personal) can attempt login. That’s why personal accounts are still being accepted.

    How to force tenant-specific login (MyCompany only)

    Update your staticwebapp.config.json so that openIdIssuer points directly to your tenant ID, not common.

    Example:

    {
      "auth": {
        "identityProviders": {
          "azureActiveDirectory": {
            "registration": {
              "openIdIssuer": "https://login.microsoftonline.com/<your-tenant-id>/v2.0"
            }
          }
        }
      }
    }
    

    Replace <your-tenant-id> with either:

    • Your GUID tenant ID (preferred), or
    • Your verified domain (mycompany.com)

    To stop personal accounts:

    If you use the tenant-specific issuer (https://login.microsoftonline.com/<tenant-id>/v2.0), personal Microsoft accounts won’t even be able to sign in.

    If you keep /common, you’d have to rely on app-level policies or conditional access to block them, but tenant-specific issuer is cleaner.

    If you still see “admin consent required” sometimes, that usually means:

    • The Entra app registration didn’t have permissions granted at tenant level. (Re-check API permissions → Grant admin consent.)
    • Or, you were still authenticating against common instead of your tenant (so consent wasn’t recognized properly).

    Switching to a tenant-specific openIdIssuer fixes this.

    Steps:

    1. Change your staticwebapp.config.json to use tenant-specific openIdIssuer.
    2. Redeploy the Static Web App.
    3. Test login — you should only see the MyCompany login page, no personal accounts.

    https://learn.microsoft.com/en-us/azure/static-web-apps/authentication-authorization

    Similar: https://learn.microsoft.com/en-us/answers/questions/1418104/how-can-you-limit-which-tenant-authentication-is-a

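The recommendation in the answer can be checked before redeploying. Below is an added example, not part of the question or answer and not Microsoft's code: a small Python lint that parses a staticwebapp.config.json, flags an openIdIssuer that points at common (or the other multi-tenant authority aliases organizations and consumers), accepts a tenant GUID or a verified domain, and optionally checks that the tenant is the one you expect. The two configs it runs over are constructed for the example; the tenant GUID is a placeholder, and the clientIdSettingName/clientSecretSettingName keys follow the documented registration shape rather than anything posted in this thread.

```python
# Added example (not from the question or answer): lint the openIdIssuer in
# staticwebapp.config.json. Sample configs below are constructed; the tenant
# GUID is a placeholder, not a real tenant.
import json
import re
from typing import Optional

# Authority aliases that do NOT pin sign-in to a single tenant.
MULTI_TENANT_ALIASES = {"common", "organizations", "consumers"}

ISSUER_RE = re.compile(r"^https://login\.microsoftonline\.com/([^/]+)/v2\.0/?$")
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def extract_issuer(config: dict) -> Optional[str]:
    """Return the configured openIdIssuer, or None if the key is absent."""
    try:
        registration = config["auth"]["identityProviders"]["azureActiveDirectory"]["registration"]
        return registration["openIdIssuer"]
    except (KeyError, TypeError):
        return None


def check_issuer(issuer: Optional[str], expected_tenant: Optional[str] = None) -> list:
    """Return a list of findings; an empty list means the issuer is tenant-specific."""
    findings = []
    if issuer is None:
        # No override: Static Web Apps falls back to the common endpoint.
        findings.append("no openIdIssuer configured: Static Web Apps falls back to the "
                        "common endpoint, so any Microsoft account can sign in")
        return findings
    match = ISSUER_RE.match(issuer)
    if not match:
        findings.append(f"issuer {issuer!r} does not match "
                        "https://login.microsoftonline.com/<tenant>/v2.0")
        return findings
    tenant = match.group(1)
    if tenant.lower() in MULTI_TENANT_ALIASES:
        findings.append(f"issuer uses the multi-tenant authority '{tenant}': personal or "
                        "foreign-tenant accounts are not rejected at sign-in")
    elif not (GUID_RE.match(tenant) or DOMAIN_RE.match(tenant)):
        findings.append(f"tenant segment {tenant!r} is neither a tenant GUID nor a verified domain")
    if expected_tenant and tenant.lower() != expected_tenant.lower():
        findings.append(f"issuer tenant {tenant!r} does not match expected tenant {expected_tenant!r}")
    return findings


def lint_config(config_text: str, expected_tenant: Optional[str] = None) -> list:
    """Parse a staticwebapp.config.json document and lint its openIdIssuer."""
    return check_issuer(extract_issuer(json.loads(config_text)), expected_tenant)


# Constructed sample: the weak setting (common endpoint) described in the question.
WEAK_CONFIG = """{
  "auth": {
    "identityProviders": {
      "azureActiveDirectory": {
        "registration": {
          "openIdIssuer": "https://login.microsoftonline.com/common/v2.0",
          "clientIdSettingName": "AZURE_CLIENT_ID",
          "clientSecretSettingName": "AZURE_CLIENT_SECRET"
        }
      }
    }
  }
}"""

# Constructed sample: the corrected, tenant-specific setting from the answer.
# The GUID is a placeholder, not a real tenant id.
PLACEHOLDER_TENANT_ID = "11111111-2222-3333-4444-555555555555"
HARDENED_CONFIG = WEAK_CONFIG.replace("/common/", f"/{PLACEHOLDER_TENANT_ID}/")

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = lint_config(text, expected_tenant=PLACEHOLDER_TENANT_ID)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against the deployed app's staticwebapp.config.json in a pre-deploy step and fail the build on any finding; passing your own tenant GUID as expected_tenant also catches a copy-pasted issuer from another tenant. Since the question mentions the free plan, one caveat from the Static Web Apps authentication documentation linked in the answer: custom identity provider settings in staticwebapp.config.json are a Standard plan feature, so the openIdIssuer override only takes effect once the app is on that plan.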
